Just a note. I have been trying to get Nathan Sparks to enforce database passwords with Open Dental 19.2. I even made a compromise after creating the Open Dental Privilege Escalation tool. I asked him if he could create a 30-day reminder screen.
Since then, I found a database and file share exposed to the internet with Shodan. I was even able to find out who the office was based off the CN= in their remote desktop.
There are many more databases exposed to Shodan if you search by the MySQL version.
I would say about 98% of Open Dental Users do not have a database password set.
I like Open Dental, and I like how they let us set database passwords... but they don't enforce that.
I argue if even 1 SSN can be taken because of the lack of enforcement, then it is worth enforcing.
With Dentrix G6.2 onward, every customer has a UNIQUE database password, based off of a UNIQUE database passphrase. And that is NICE.